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(54) COMMUNICATION TERMINAL AND AD HOC NETWORK ROUT CONTROLLING 
METHOD 

(57)Abstract: 

PROBLEM TO BE SOLVED: To provide a rout controlling methodetc. for preventing a 
risk of believing false rout control informationand for concealing address 
informationetc. of a transmission reception terminal and a relay terminal as much as 
possible in an ad hoc network. 

SOLUTION: A communication terminal capable of generating an ad hoc network route 
is configured by a transmitting receiving unit for performing a communication with 
other communication terminala route request generating unit for generating a route 
requesting message for requesting generation of an ad hoc network routean address 
storing unit for storing an address of a self terminal and an address of a reception 
terminala random number generating unit for generating a random numbera certificate 
publishing unit for publishing a certificate of the self terminala digital signature 
producing unit for producing a digital signature of the self terminaland a controlling 
unit for transmitting and receiving data configured from an address of the self 
terminalan address of the reception terminala random numbera certificateand a digital 
signature by adding to the route requesting message via the transmitting receiving 
unit in response to an ad hoc network protocol. 



CLAIMS 



[Claim(s)] 
[Claim 1] 

It is a communication terminal which has a route request generating part which 
generates a route request message which requires generation of a transmission and 
reception section which generation of an ad hoc network course is possibleand 
performs communication with other communication terminalsand an ad hoc network 
course. : 

An address storage section which memorizes an address of a self-terminaland an 
address of a receiving terminal; 

A random number generation part which generates a random number; 

A certificate issue section which publishes a certificate of a self-terminal; 

A digital signature preparing part which creates a digital signature of a self-terminal; 

A control section which transmits and receives data which added an address of a 

self-terminalan address of a receiving terminalthe aforementioned random numbera 

certificateand a digital signature to said route request messageand constituted them 

according to an ad hoc network protocol via said transmission and reception section; 

A communication terminal ** constituted. 

[Claim 2] 

It is the communication terminal according to claim land is a pan. : 

A secret key treating part which creates a secret key and enciphers said at least 

some of data; it reaches. 

Operation part which decodes received encrypted data; 
A communication terminal ** constituted. 
[Claim 3] 

It is an ad hoc path control method for generating an ad hoc network among two or 
more communication terminals. : 

A stage which carries Out broadcast transmission of the data which added and 
constituted a transmit-terminal addressa receiving terminal addressand a transmit- 
terminal digital signature to an ad hoc route request signal in a transmit terminal; 
A stage which attests a transmit-terminal digital signature transmitted from a 
transmit terminal in a relay terminaland adds and carries out broadcast transfer of a 
relay terminal address and the relay terminal digital signature to said ad hoc route 
request signal; 

A stage which attests said relay terminal digital signature and said transmit-terminal 
digital signature in a receiving terminal; it reaches. 

A stage which addresses an ad hoc course reply signal which added and constituted a 
receiving terminal digital signature to said received data in said receiving terminal to 
said transmit terminaland transmits; 



An ad hoc path control method ** constituted. 
[Claim 4] 

It is an ad hoc path control method for generating an ad hoc network among two or 
more communication terminals. : 

A stage of data which added and constituted a transmit-terminal address and a 
receiving terminal address to an ad hoc route request signal in a transmit terminal 
which enciphers using a public key of a receiving terminal in part at leastand carries 
out broadcast transmission of said data; 

A stage which adds and carries out broadcast transfer of the relay terminal address 
to said ad hoc route request signal in a relay terminal; 

A stage which addresses an ad hoc course reply signal which added said received 
data in a receiving terminal to said transmit terminaland transmits; 
An ad hoc path control method ** constituted. 
[Claim 5] 

An ad hoc path control method which is the ad hoc path control method according to 
claim 3and is characterized by having further a stage where said receiving terminal 
decrypts said received data in an attestation stage in the aforementioned receiving 
terminal using a self secret key. 
[Claim 6] 

An ad hoc path control method which is the ad hoc path control method according to 
claim 4and is characterized by what said transmit terminal determines a session key 
and it has the stage of performing hybrid encryption using the session key for in an 
encryption stage in the aforementioned transmit terminal. 
[Claim 7] 

An ad hoc path control method which is an ad hoc path control method given in any 
of the above-mentioned claim they areand is characterized by having further the 
stage of concealing the aforementioned relay terminal address. 
[Claim 8] 

An ad hoc path control method which is the ad hoc path control method according to 
claim 7and is characterized by a stage of concealing the aforementioned relay 
terminal address comprising a stage of concealing information on an upstream relay 
terminal using a part of information on a relay terminal. 
[Claim 9] 

An ad hoc path control method which is an ad hoc path control method given in any 
of the above-mentioned claim they areand is characterized by having further a stage 
which inserts a dummy address into said data. 
[Claim 10] 

An ad hoc path control method which is an ad hoc path control method given in any 
of the above-mentioned claim they areand is characterized by having further a stage 
which inserts straw-man padding into said data. 
[Claim 11] 



An ad hoc network system which contains the communication terminal according to 
claim 1 or 2 as a transmit terminaland contains a relay terminal and a receiving 
terminal further. 



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 

[Field of the Invention] 

[0001] 

Especially this invention relates to the ad hoc network path control method which 
performs attestation and processing for privacy protectionand the communication 
terminal for it about an ad hoc network path control method and the communication 
terminal for it. 

[Background of the Invention] 
[0002] 

There is demand of connecting with a mobile radio communication network in 
connection with a huge expansion and the diversity of mobile communications demand 
from the mobile communication terminal in the exterior of the field which a mobile 
communications base station covers. From the direct one hop connection with a base 
station from the mobile communication terminal outside the cover region of a mobile 
communications base station being impossible. The method of using for a base station 
the wireless ad hoc network which makes multi-hop connection is proposed via other 
mobile communication terminals and simple relay stations installed temporarily. That 
isa wireless ad hoc network is a wireless network temporarily built by the personal 
digital assistant which a user usesthe simple relay station installed temporarilyetc. 
(refer to drawing 1 ). Each mobile communication terminal and a simple relay station 
build in an ad hoc routing protocoland spontaneous information is transmitted and 
received between each terminal according to thisand they constitute an ad hoc 
network. Since information will be received by various terminalsit is important to 
secure security and privacy in an ad hoc network. 
[0003] 

As an example of an ad hoc networkwhen the routing demand from a terminal 
arisesthere is a DSR (Dynamic Source Routing) method which generates a course. In 
a DSR methoda transmit terminal can send data using the course by getting to know 
the address of all the terminals (node) on the course to a receiving terminal. Since 
the terminal (node) which relays data can know the next destination using the channel 
information transmitteda relay terminal does not need to have channel information 
and it can be managed with comparatively light processing. By using an ad hoc 
networkit becomes possible to provide cellular communications servicean Internet 
access serviceetc. also to the mobile communication terminal out of the 



communications area which a mobile radio communication network provides. In such a 
communication configuration* works as a component of an ad hoc network and the 
both sides of a mobile radio communication networkand the communication terminal 
which bears mediation of the channel from an ad hoc network to a mobile radio 
communication network is called a gateway terminal (16 references of drawing 1 ). 
Heresince the gateway terminal D is an another name of the communication terminal 
which is carrying out direct continuation to the mobile radio communication 
networkarbitrary communication terminals can turn into the gateway terminal D. When 
the gateway terminal D moves out of the area which a mobile radio communication 
network provides* does not get used to a gateway terminal any longerbut becomes a 
mere mobile communication terminal. 
[0004] 

An ad hoc network is constituted as shownfor example in drawing 1. Although the 
example of mobile radio communication explainsan ad hoc network is not restricted to 
radiobut is useful also in a wire communication. The moving terminal S (12) forms an 
ad hoc network according to an ad hoc path control protocol. It is connected to the 
gateway terminal D (16) via the relay terminal T1 (14) and the relay terminal T2 
(15)and the mobile communication terminal S (12) constitutes the ad hoc network 
from an example of a graphic display. Since the gateway terminal D (16) is in the area 
which the base station B (18) coversit can connect with the base station B (18) via 
the gateway terminal D (16)and the moving terminal S (12) can receive the service 
from there (refer to patent documents 1). 
[0005] 

Hereit is IETF (for the purpose of The Internet Engineering Task Forceand the better 
architecture and the smooth operation of the Internet). Standardization of the 
Internet The outline of the conventional example of the path control in DSR (Dynamic 
Source Routing) currently examined by MANET (Mobile Ad-hoc Networks) WG (task 
force) of the organization which is developing the volunteer activity at the center .s 
shown in drawing 2 and drawing 3 . 

[° 006] , ■ , r • * 

The procedure of the conventional course establishment is explained referring to 

drawing 2 and drawing 3 . Although the transmit terminal S (Source) shown in dj^wjng 

2_and drawing 3 is explained as a thing equivalent to the moving terminal S of dj^wing 

lit may not be restricted to thisbut a gateway terminal may be sufficient as itand they 

may be other moving terminals. Although the receiving terminal D (Destination) shown 

in drawing 2 and drawing 3 is explained as a thing equivalent to the gateway terminal 

D of drawing l it may not be restricted to this but may be a moving terminal. Although 

the relay terminal T (Transmitter) shown in drawing 2 and drawing 3T1and T2 are 

explained as a thing equivalent to the relay terminals 1 4 and 1 5 of drawing 1t hey are 

not restricted to this. Since the relay terminal T1 of drawing 3 and T2 have 

composition and the the same functionin drawing 2t he one relay terminal T represents 



and is shown. 
[0007] 

When the transmit terminal S starts communication with the receiving terminal 
Drequest/reply generating part 222The signal of RREQ (Route REQuest) which is a 
control message for requiring generation of an ad hoc network course is generatedand 
the transmission and reception section 226 carries out broadcast transmission of the 
RREQ to a network. Address ADD S of a transmit terminal and address ADD D of a 
receiving terminal are read from the address storage section 227are added to 
RREQand are transmitted together. An address may be an IP addressfor example. The 
information which restricts the hop number which carries out re transfer may also be 
included in control message PREQ. 
[0008] 

The relay terminal T1 which received control message RREQ by the transmission and 
reception section 246If it turns out that its address ADD T1 memorized in the address 
storage section 247 is compared with address ADD D which receivedand there is 
nothing at addressing to itselfits address ADD T1 will be added and RREQ will be 
transmitted by broadcasting. 
[0009] 

The transmission processing as the terminal T1 that the relay terminal T2 is also the 

same is performed. 

[0010] 

The receiving terminal D which received control message RREQ. adding what copied 
relay address information to a control message called RREP (Route REPIy)if their 
address and ADD D which were memorized in the address storage section 267 are 
compared and it turns out that it is addressing to itself — a unicast — the transmit 
terminal S — it sends a reply. 
[0011] 

The relay terminal T2 which received RREP will transmit this signal by a unicastif its 

address is discovered to a relay address list. 

[0012] 

The processing as the terminal T2 that the relay terminal T1 is also the same is 

performed. 

[0013] 

From the combination of address information ADD S and ADD D the transmit terminal S 

which received RREP can recognize that this signal is the response to RREQ which 

he transmitted beforeand can know relay path information (S->T1->T2->D). 

[Patent documents 1] JP2003-230167A 

[Description of the Invention] 

[Problem(s) to be Solved by the Invention] 

[0014] 

Howeverin the DSR ad hoc network in conventional technologysince attestation of 



RREQ which is a path control signalor RREP was omittedthere was a danger of 
believing the mistaken path control information. Since transceiver person 
informationthe address information of a relay nodeetc. were stored in a header in the 
state where anyone can reada third party is able to specify a transceiver personand 
there were a problem of privacyetc. 
[0015] 

ThenSUBJECT of this invention is providing the path control method etc. which can 
avoid the danger of believing the mistaken path control information by performing 
attestation of RREQ and RREP in an ad hoc network. 
[0016] 

It is providing the path control method etc. which can improve the privacy of the 
sender receiver terminal to a third party by concealing the address information of a 
sender receiver terminal or a relay terminaletc. as much as possible. 
[Means for Solving the Problem] 
[0017] 

Generation of an ad hoc network course according to one feature of this invention for 
attaining above-mentioned SUBJECT is possibleA communication terminal which has 
a route request generating part which generates a route request message which 
requires generation of a transmission and reception section which performs 
communication with other communication terminalsand an ad hoc network courseA 
digital signature preparing part which creates a digital signature of a certificate issue 
section; self-terminal which publishes a certificate of a random number generation 
part; self-terminal which generates an address storage section; random number which 
memorizes an address of a self-terminaland an address of a receiving terminal; 
according to an ad hoc network protocollt comprises control-section; which transmits 
and receives data which added an address of a self-terminalan address of a receiving 
terminala random numbera certificateand a digital signature to a route request 
messageand constituted them via a transmission and reception section. 
[0018] 

Furthersuch a mobile communication terminal may create a secret keyand may have 
the operation part which decodes secret key treating part; and received encrypted 
data which encipher at least some data. 
[0019] 

An ad hoc path control method for generating an ad hoc network among two or more 
communication terminals according to one feature of this invention for attaining 
above-mentioned SUBJECTA stage which carries out broadcast transmission of the 
data which added and constituted a transmit-terminal addressa receiving terminal 
addressand a transmit-terminal digital signature to an ad hoc route request signal in a 
transmit terminal; In a relay terminalA stage which attests a transmit-terminal digital 
signature transmitted from a transmit terminaland adds and carries out broadcast 
transfer of a relay terminal address and the relay terminal digital signature to an ad 



hoc route request signal; In a receiving terminalln stage; and a receiving terminal 
which attest a relay terminal digital signature and a transmit-terminal digital 
signatureit comprises stage; which addresses an ad hoc course reply signal which 
added and constituted a receiving terminal digital signature to received data to a 
transmit terminaland transmits. 
[Effect of the Invention] 
[0020] 

If working example of this invention is followedthe danger of believing the mistaken 

path control information is avoidable by performing attestation of RREQ and RREP. 

The privacy protection of the sender receiver terminal to a third party can be raised 

by concealing the address information of a sender receiver terminal or a relay 

terminaletc. as much as possible. 

[Best Mode of Carrying Out the Invention] 

[0021] 

Hereaftereach working example of this invention is describedreferring to Drawings. 
Firstthe premise about each working example of this invention is expressed. 
[0022] 

- By a means of some kindall the nodes (terminal) hold the certificate of route CA 
(Certificate Authoritycertificate authority)can publish their own certificateand can 
create a secret key. 

[0023] 

- By a means of some kindthe address and certificate of a communications partner 
can be known before a communication start. 

[Work example 1] 
[0024] 

Working example 1 of this invention is described referring to drawing 4 and drawing 5. 
The moving terminal 400 according to working example of this inventionlt has 
request/reply generating part 422the control section 424the transmission and 
reception section 426the address storage section 427the address comparison part 
428the random number generation part 430the certificate issue section 440the digital 
signature preparing part 450the secret key treating part 460the operation part 470and 
the verification part 480. This composition is not restricted to a transmit terminalbut 
has composition also with same relay terminal and receiving terminal. This invention is 
not restricted to mobile radio communicationbut can be applied also to a wire 
communication. 
[0025] 

The transmission and reception section 426 carries out broadcast transmission of the 
route request control message RREQ generated in request/reply generating part 422 
to a network. 
[0026] 

In working example 1 in RREQattestation was applied between each hop 



(namelybetween the transmit-terminal S-> relay terminal T1 -> relay terminal T2 -> 
receiving terminals D)and attestation is applied only in between (namelybetween the 
receiving terminal D-> transmit terminals S) by RREP as shown in drawing 5 . It adds 
shading to a different portion from drawing 3 among drawing 5 and it is shown. Nonce 
shown in drawing 5 means the random number generated in the random number 
generation part 430. Cert x means the certificate of the terminal X which a certificate 
issue section publishes. Sig x is a digital signature by the terminal X. 
It is created by the digital signature preparing part. 

[0027] 

In DSR of a conventional examplealthough attestation of RREQ and RREP is 
omittedthese signals are attested in this example. Since every relay node is attested 
by RREQit is thought by RREP of a reply that attestation of a between is enough. 
[0028] 

It explains per operation of each terminal below. The random number generation part 
430 of the transmit terminal S determines the random number Nonce first. The 
certificate issue section 440 publishes Cert s . The control section 424 adds Nonce and 
own certificate Cert s to control message RREQ. The random number Nonce is added 
in order to protect a network from a resending attack. The receiving terminal adds a 
transmit terminal's own certificate to RREQ in order not to necessarily know the 
information on a transmit terminal. The digital signature preparing part 450 creates 
own digital signature Sig s Nonce and for all the fields of the signal RREQ which added 
certificate Cert s . The transmission and reception section 426 transmits to a network 
the signal RREQ with which NonceCert s and Sig s were added by broadcasting. 
[0029] 

The verification part 480 of the relay terminal T1 which received the signal RREQ 
verifies Nonce contained in the received signal RREQ by a publicly known method. 
When Nonce is the same as the value of Nonce which received beforeit is recognized 
as this RREQ being retransmission of messageand cancels. When Nonce is the first 
value to receivethe verification part 480 verifies digital signature Sig s of a transmit 
terminal by a publicly known method using certificate Cert s added. If satisfactory as a 
result of verificationit will check that ADD D is compared with its address and there is 
nothing at addressing to itself. Nextaddress ADD T1 and certificate Cert T1 of relay 
terminal T1 self are added to the received signaland digital signature Sig T1 of relay 
terminal T1 self is created to the whole added signal. ADD x1 Cert T1 and RREQ that 
added Sig T , are transmitted to a network by broadcasting. 
[0030] 

The processing as the relay terminal T1 that the relay terminal T2 is also the same is 
performed. Howeverdigital signature Sig T , of the relay terminal T1 is verified using 
certificate Cert T1 addedADD T2 Cert T2 and Sig T2 are added to the RREQ signal received 
from the relay terminal T1and it transmits to a network by broadcasting. 



[0031] 

The verification part 480 of the receiving terminal D which received the RREQ signal 
from the relay terminal T2 verifies Nonce. When Nonce is the same as the value of 
Nonce which received beforeit is recognized as this RREQ being retransmission of 
messageand cancels. When Nonce is the first value to receivedigital signature Sig T2 of 
a relay terminal is verified using certificate Cert T2 added. ADD D is compared with its 
address and it recognizes that it is addressing to itself. Digital signature Sig T1 of a 
relay terminal is verified using certificate Cert T1 added. Digital signature Sig s of a 
transmit terminal is verified using certificate Certs added. The turn of these 
processings may be changed. 
[0032] 

The copy of the contents of RREQ is added to the reply control message RREP 
generated by request/reply generating part of the receiving terminal D. Digital 
signature Sig D of the receiving terminal D is created for all the fields of the RREP 
signal which added the copy of the contents of RREQ. RREP which added Sig D is 
transmitted to transmit-terminal S by a unicast. 
[0033] 

The relay terminal T2 which received the RREP signal from the receiving terminal D 
verifies Nonce. Since its address ADD T2 can be discovered to a relay address listthis 
signal is transmitted by a unicast as it is. 
[0034] 

The processing as the relay terminal T2 that the relay terminal T1 is also the same is. 

performed. 

[0035] 

The verification part 480 of the transmit terminal S which received the RREP signal 
by the relay terminal T1 course performs the following processingsafter verifying 
Nonce first. Since its address ADD S cannot be discovered to a relay address listit is 
verified whether it is RREP addressed to itself. He recognizes that it is the response 
to RREQ which transmitted before from the combination of ADD s ADD D NonceCert s and 
Sig s . Sig D is verified. Sig for every relay path is verified. That isRREP is transposed to 
RREQ and Sig D is removed. After verifying Sig T2 ADD T2 Cert T2 and Sig T2 are removed. 
After verifying Sig T1 ADD T1 Cert T1 and Sig T , are removed. Relay path information (S- 
>T1->T2->D) is become final and conclusive. 
[Work example 2] 
[0036] 

Working example 2 of this invention is described referring to drawing 6 thru/ or 
drawing 10 . Although drawing 6 is the same figure as drawing 5 it shows the 
information about S and D which are exposed by the third party by shading. As shown 
in drawing 6t here is a problem that privacy cannot be protectedin working example 1. 
For examplein the area where a utilizing user is limitedfor round robin of a certificateif 
Cert s pullsthere is a danger that the transmit terminal S will become clear. 



[0037] 

Thenworking example enciphered and concealed for the improvement in privacy 
protection so that only S and D may understand the shading field of drawing 6 is 
described. The common key encryption system which is a fundamental cipher system 
is a method which the receiving terminal D which the transmit terminal S enciphered 
plaintext data using the common keytransmitted the enciphered dataand received it 
decrypts using the same common key. From the place whose encryption and 
decryption are the same processings of an opposite directionit is also called a 
"symmetrical algorithm." High-speed processing is attained from using the same key 
as encryption and decryption. Howeverwhen a "common key" leaks to a third 
partythere is a disadvantageous point that the danger that all subsequent codes will 
be decoded becomes high. 
[0038] 

In the example shown in drawing 7 a transient address is applied as address ADD S of 
the transmit terminal Sand the method which applied public-key-encryption-ization 
purely is explained to others. A public-key crypto system or an unsymmetrical 
algorithm is a method using the key which is differentrespectively as the key used for 
encryptionand a key used for decryption. Key of one of the two open to a partner is 
called a "public key." A receiving terminal creates a "secret key" and a "public key" 
in a pair. The direction of a "public key" is exhibited and the "secret key" is kept with 
the receiving terminal. A transmit terminal obtains the public key of a receiving 
terminalenciphers plaintext data using the keyand transmits encrypted data. The 
receiving terminal which received encrypted data decrypts encrypted data using the 
kept secret key. 
[0039] 

HereE x [y] means enciphering the plaintext y using the public key of X. In the transmit 
terminal S shown in drawing 7 address ADD D of the receiving terminal DCertificate 
Cert s and digital signature Sig s of the transmit terminal S are enciphered by the public 
key of the receiving terminal D (E D [ADDjEo [CertjEo [SigJ). The receiving terminal 
D which received these encrypted data is decrypted using the kept secret key. When , 
sending a replydigital signature Sig D of self is enciphered by the public key of the 
transmit terminal S (E s [SigJ). Howeverthere are the following problems in this 
method. 
[0040] 

1. Since the coding result to the same plaintextssuch as (original RSA)becomes the 
always same value depending on the algorithm of public key encryptionalthough ADD D 
is unknowna "new" address called E D [ADDj is always exposedand the danger of 
being pursued exists. 

[0041] 

2. The same danger exists also to a transient address. 
[0042] 



Thereforethough the same value is encipheredthe powerful measure [ direction / 
where a result different each time was obtained ] to disclosure of privacy is done 
more. 
[0043] 

Working example 2 which applied the hybrid code as shown in drawing 8 as working 
example over this problem is described. According to the hybrid cipher systemthe 
following processings are performed by a sender receiver terminal. Beforehandboth 
the sender receiver terminal S and D have shared the common key. The receiving 
terminal D creates a "secret key" and a "public key" in a pair. The direction of a 
"public key" is exhibited and the "secret key" is kept with the receiving terminal D. 
The transmit terminal S obtains the public key of the receiving terminal Denciphers a 
common key using the public keyand sends it to the receiving terminal D. Using the 
common key which the transmit terminal S encipheredsymmetrical key encryption of 
plaintext data is performed and encrypted data is transmitted. The receiving terminal 
D which received the common key enciphered by the public key and encrypted data 
decrypts an encrypted common key using the kept secret key. Encrypted data is 
restored using the decrypted common key. In order for the plaintext data itself to 
perform encryption/decryption with a common cipher system with a quick speedhigh- 
speed processing speed is obtained. In order to improve confidentialityit is also 
possible to change the above-mentioned common key for every session. In that 
casethe transmit terminal S performs symmetrical key encryption of data using a 
disposable common key (referred to as Session Key) for every sessionenciphers 
Session Key by a public keyand notifies to the receiving terminal D. 
[0044] 

In working example shown in drawing 8 a transient address is applied to transmit- 
terminal address ADD s and a hybrid code is applied to others. Belowit explains 
focusing on different processing from drawing 3 . 
[0045] 

The random number generation part 430 (refer to drawing 4 ) of the transmit terminal 
S determines transient address ADD S of a transmit terminal at random. The random 
number generation part 430 determines the session key (Session Key) at random 
furtherand the secret key treating part 460 enciphers by the public key of the 
receiving terminal Dand creates E D [Session Key]. Since E D [Session Key] can serve 
also as the meaning of Nonceit deletes Nonce in drawing 3 and transposes E D 
[Session Key] to the position instead. The secret key treating part 460 obtains the 
output (pseudo-random number series) of a symmetrical key code using Session Key. 
The operation part 470 calculates the exclusive OR of transmitHierminal transient 
address ADD s receiving terminal address ADD D certificate Cert s of a transmit terminal 
and digital signature Sig s (signature for all the field)and the above-mentioned pseudo- 
random number series. The transmission and reception section 426 sets the whole to 
RREQand carries out broadcast transmission. 



[0046] 

The relay terminal T1 which received RREQ assumes that RREQ which has specific 
length is RREQ from Sand does not perform verification of Sig s (the management to 
this problem is mentioned later.)but carries out the same processing as drawing 3 and 
is transmitted. A relay terminal also carries out same processing and is transmitted. 
[0047] 

The receiving terminal D which received RREQ from the relay terminal T2 performs 

the following processings. 

[0048] 

Encrypted common key E D [Session Key] which received is decrypted using its own 
secret keyand a common key (Session Key) is obtained. The output (pseudo-random 
number series) of a symmetrical key code is obtained using Session Key obtained as a 
result of decoding. Data can be restored by taking the exclusive OR of the acquired 
pseudo-random number series and the field currently kept secret. 
[0049] 

In the case of a replyit re-enciphers using the newly created pseudo-random number 
series (it differs from the random number series at the time of reception) by the 
random number generation part of the receiving terminal D. That isthe exclusive OR 
of a new pseudo-random number seriesand ADD s ADD D Cert s Sig s and SigD is taken. 
Thereforethe mask of the random number series of S and D will be given to ADD S of 
RREPADD D Cert s and Sig s respectively. 
[0050] 

S which received RREP transmitted via the relay terminal T1 and T2 performs the 

following processings. 

[0051] 

When verifying whether it is RREP addressed to itselfthe pseudo-random number 
series which the receiving terminal D set up is removed. Although reference was not 
made in particular about the use mode of the symmetrical key code until nowin order 
to output a pseudo-random number seriesuse with CTR mode is common. 
[0052] 

The outline in CTR mode is shown in drawing 9 . As for Initialization Vector 
(henceforth the following)* is desirable that it is sharable in secrecy among 
transceiver persons. As for a counter (henceforth the following)in order to 
synchronize among transceiver persons and to reduce the influence of a step-outit is 
desirable to add a raw value to a packet and to transmit it. 
[0053] 

Drawing 10 is the example which assumed CTR mode in the use mode of the 
symmetrical key code in drawing 8 . It explains below focusing on different processing 
from drawing 5 . 
[0054] 

IV decides to connect with Session Key and to transmit (it displays with the sign of 



"||" below)and is taken as Seed=Session Key || Iv. It enables it to choose ct 
independently with the transmit terminal S and the receiving terminal D (it is 
respectively considered as ct s and ct D )and it adds this field to the head of a packet. 
Since an order of a packet will leak to a third party if ct continues incrementallya 
sending person decides to assign a random value. Since ct also contained the 
implications of NonceED [Session Key] had been regarded as Nonce until nowbut 
belowct shall play the role of Nonce. 
[Work example 3] 
[0055] 

Working example 3 of this invention is described referring to drawing 1 1 and 12. 
Although drawing 1 1 is the same figure as drawing 1 P it shows the information about 
the relay terminal (node) exposed by the third party by shading. If the necessity for 
relay information is considered anewin order for the transmit terminal S and the 
receiving terminal D to perform Source Routingit is necessary to get to know the 
information on all the relay terminal butand the relay terminal itself is enough if the 
following judgment can be performed. 
[0056] 

1. That check which is addressing to itself to RREQjustification of information from 
last relay terminal. 

[0057] 

2. Is he contained in a transmission address list to RREP or not? 
[0058] 

Thereforesince disclosure of unnecessary information has the danger of becoming an 
offensive materialit is desirable to conceal as much as possiblealso about the 
information on a relay terminalso that only the transmit terminal S and the receiving 
terminal D may be known. Sobelowthe example concealed so that only S and D may 
understand the shading field of drawing 1 1 f or improvement in privacy is explained. 
[0059] 

In order to conceal the shading field of drawing 11 drawing 12 applies a public key 
temporarily and shows at RREQ the example to which the object of the symmetrical 
key code was expanded by RREP. It explains below focusing on different processing 
from drawing 8 and drawing 10 . 
[0060] 

The random number generation part 430 of the transmit terminal S determines the 
pair of a secret key (K-) at random in transmission of RREQ a public key (K+) and 
temporarily temporarily. Although secret key K- is added to RREQ public key K+ and 
temporarily temporarily and it transmitslet only secret key K- be an object of the 
exclusive OR of a pseudo-random number series temporarily. 
[0061] 

The relay terminal T2 which received RREQ carries out accumulation encryption of 
the information on a former relay terminal (in this caseADD TI Cert T1 Sig T1 ) using K+ from 



itself. Even when the relay terminal which is malicious by carrying out accumulation 
encryption omits former relay terminal information by an inverse ramp from itselfit 
can avoid that detection becomes impossible with the receiving terminal D. 
[0062] 

The receiving terminal D which received RREQ performs the following processings. 
[0063] 

Sig for every relay path is verified. After verifying Sig X2 ADD T2 Cert T2 and Sig X2 are 
removed. The whole information on a relay terminal is decoded temporarily using 
secret key K-. Sig T1 is verified. ADD T ,Cert T) and Sig T , are removed. Sig s is verified. 
[0064] 

Generallyonly the number of times of relay guessed from the length of the whole relay 
terminal information will repeat processing of a following series. That isthey are 
decodingverification of outermost Sigand processing of a series of removal of 
outermost additional information in secret key K- temporarily. 
[0065] 

When the receiving terminal D sends a replyto all the information copied from 
RREQexclusive OR with the pseudo-random number series (it differs from the random 
number series at the time of reception) newly created with the receiving terminal D is 
takenit re-enciphersand RREP is created. The object domain of a mask pattern will be 
expanded and a mask pattern will be applied also to K-K+E D 
[Seed]ADD Tl Cert Tl Sig T1 ADD T2 Cert T2 and Sig T2 . 
[0066] 

Since the mask pattern is hung on all the information copied from RREQADD T , and 
ADD T2 are concealed and discernment of them becomes impossible in a relay terminal. 
Thenit stores in the relay address list field in which the raw value of ADD T1 and ADD T2 
was established newly. 
[0067] 

The transmit terminal S which received the RREP signal performs the following 

processings. 

[0068] 

Encrypted common key E D [Seed] which received is decrypted and verified. Since its 
address ADD S cannot be discovered to a relay address lista random number series is 
removed. He recognizes that it is the response to RREQ which transmitted before 
from the combination of ADD s ADD D SeedCertsand Sig s . Sig D is verified. Sig for every 
relay path is verified. That isRREP is transposed to RREQ and Sig D is removed. After 
verifying Sig T2 ADD T2 Cert T2 and Sig T2 are removed. After verifying Sig T1 ADD T1 Cert T1 and 
Sig T1 are removed. Relay path information (S->T1->T2->D) is become final and 
conclusive. 
[Work example 4] 
[0069] 

Working example 4 of this invention is described referring to drawing 13 and drawing 



1_4. Although drawing 13 is the same figure as drawing 1 2 it shows the information 
about the relay terminal (node) exposed by the third party by shading. It is desirable 
to conceal as much as possiblealso about the address of a relay terminalso that the 
transmit terminal Sthe receiving terminal Dand the relay terminal itself may be known. 
Thenworking example concealed so that the transmit terminal Sthe receiving terminal 
Dand the relay terminal itself may understand the shading field of drawing 1 3 f or 
improvement in privacy is described. 
[0070] 

Although there is the method of making ADD T1 and ADD T2 a transient address as easy 
managementsince the relay address same for a while will be applied through two or 
more packetsthe danger of being exposed of the relevance of a packet exists only by 
this method. Thereforestructure stronger against disclosure of privacy is done by the 
direction where a different transient address for every packet is applied. In order to 
cope with this problempractical use of a public key and a hash function is considered 
temporarily. 
[0071] 

In order that drawing 14 may conceal the shading field of drawing 1 3 in RREQit is the 
example which enciphered the random number by the public key temporarilyand 
applied the hash function to the random number in RREP. It explains below focusing 
on different processing from drawing 9 . The random number which rand x determined 
at the terminal Xand h (y) mean the hash value of y. A hash function means the 
existing function and procedure for summarizing from enumeration of character 
stringssuch as a document and a numberto fixed length's data. The value outputted 
through a function is called a "hash value." The hash function "SHA-1 " and "MD5" is 
typicaland since all are one directional functionsit is impossible to presume the 
original text from generated data. If both are compared in quest of the hash value of 
data at the both ends of a course when transmitting and receiving data through a 
communication lineit can be investigated whether data is altered in the middle of 
communication. 
[0072] 

The relay terminal T1 which received RREQ sets up E K+ [rand T1 ] instead of address 

ADD T1 of self. 

[0073] 

T2 performs the same processing as T1. 
[0074] 

D which received RREQ acquires rand T) and rand T2 and applies h (rand T1 ||ct D ) and h 

(rand T2 ||ct D ) instead of ADD T1 and the raw value of ADD T2 . 

[0075] 

T2 which received RREP recognizes its address as h (rand^Hc^). 
[0076] 

T1 performs the same processing as T2. 



[0077] 

The transmit terminal S which received RREP performs the following processings. 
[0078] 

h (rand s ||ct D ) is inspected when discovering its address with a relay address list. 
rand T1 and rand T2 are acquired. 
[Work example 5] 
[0079] 

Working example 5 of this invention is described referring to drawing 14 thru/ or 

drawing 16 . 

[0080] 

When drawing 14 is referred tothe packet length of RREQ and the relay address list of 
RREP show that the danger that the information about the transmit terminal S and 
the receiving terminal D will leak as follows is high. 
[0081] 

- RREQ : packet length shows that the relay terminal T1 is next to the receiving 
terminal S. 

[0082] 

- RREP : if the relay terminal T1 and the relay terminal T2 conspire (conspiracy)a 
relay address list shows that the receiving terminal D is a next door (next door of 
ST1) of the relay terminal T2. Thenthe example which utilizes dummy information 
(random number) and conceals the information on the transmit terminal S and the 
receiving terminal D as much as possible to the transmit terminal S and the receiving 
terminal D by [ which is a relay terminal / that ] making it act like is explained. 
[0083] 

Drawing 1 5 gives each of the RREQ signal from the transmit terminal Sand the RREP 
signal from the receiving terminal D dummy informationand it is made to serve it as if 
both terminals were relay terminals. It explains below focusing on different processing 
from the above-mentioned example. The transmit terminal S gives dummy relay 
terminal information (Dummy1Dummy2 which mean a part for 1 relay by drawing 15) 
into a RREQ signal. Since dummy information existseven if exposed of the information 
on the transmit terminal Sit sees from a third party and distinction with a master 
station and a relay terminal does not stick. 
[0084] 

The relay terminal T1 which received the RREQ signal verifies Sig s . Since verification 
of Sig s was not completed in the example of the just before aboveit assumed that 
RREQ of specific length was RREQ from Sand verification of Sig s was not performed. 
In this examplesince S carried out **** of a relay terminalcertificate Cert s could be 
revealedand attestation became possible. 
[0085] 

D which received RREQ performs the following processings. 
[0086] 



It decrypts temporarily using secret key K-and Sig for every relay path is verified in 
an order from the re-outsideand verification processing is repeated until Cert s 
appears. Although only the number of times of relay guessed from the length of the 
whole relay node information had repeated processing in the example of the just 
before abovesince S carries out **** of a relay terminalthe method is inapplicable by 
this example. 
[0087] 

In the receiving terminal Da dummy address (drawing 15 DummyADDI for 
twoDummyADD2) is added to the relay address list of a RREP signaland exclusive OR 
with a pseudo-random number series is taken. 
[0088] 

The transmit terminal S which received the RREP signal verifies Sig for every relay 

path like the transmit terminal D. 

[0089] 

Herewhen drawing 15 is seen wellit turns out that there is a danger that the 
information about the number of relay stages will leakfrom the packet length of a 
RREP signal. First of allthe contents of the RREP signal are enough if the transmit 
terminal S and the receiving terminal D can be recognizedand a third party does not 
need to identify. Thenthe example which conceals the history of a RREP signal as 
much as possible is explained below. 
[0090] 

Drawing 1 6 is the example which concealed the history of RREP as much as possible. 
It explains below focusing on different processing from the above-mentioned example. 
[0091] 

The receiving terminal D performs the following processings in creation of a RREP 

signal. 

[0092] 

Instead of RREPthe transmit terminal S adds the 2nd identification field (RREP/Data) 
that can distinguish RREP or Data. Padding of dummy information (random number) is 
added (Dummy Padding in drawing 16 ). The Length field is added and the length 
except Dummy Padding is set up. The mask pattern which the receiving terminal D 
set up is covered over threethe 2nd identification fieldDummy Paddingand Length. 
[0093] 

The transmit terminal S which received RREP/Data performs the following 
processingsafter removing the mask pattern which the receiving terminal D set up. 
[0094] 

1 . Recognize that it is RREP from the 2nd identification field. 
[0095] 

2. Remove Dummy Padding in consideration of the Length field. 
[Work example 6] 

[0096] 



Working example 6 of this invention is shown in drawing 1 7 . Working example 6 shown 
in drawing 1 7 is an example of the mode included all above-mentioned working 
example. Thereforeexplanation is omitted. 
[Work example 7] 
[0097] 

Nexttemporarilysupposing T2 is a malicious relay terminalthe relay terminal T2 can 
cancel the information on the relay terminal T1 intentionally. Thenthe example for 
coping with such an evil deed is explained below. 
[0098] 

It explains with reference to drawing 17 . The mechanism of detecting the information 
on the relay terminal T1 having been canceled by giving indivisible relation to the 
information on the relay terminal T1 and the information on terminal Dummy2 in front 
of that is considered. 
[0099] 

As shown in drawing 18 in the relay terminal T1 encryption by the block cipher which 
uses K T ,= h (rand T ,Cert T1 ) based on the information on the relay terminal T1 as a key 
is given to the information on Dummy2 which is a terminal in front of that. rand T1 is a 
certificate of the terminal T1 in which a certificate issue section publishes the 
random number determined at the terminal Hand Cert T1 . 
h (y) means the hash value of y. 

[0100] 

Also in the relay terminal T2encryption by the block cipher which uses K T2 = h 
(rand T2 Cert T2 ) based on the information on the relay terminal T2 as a key is given to 
the information on T1 which is a terminal in front of that. Thereforein order to restore 
this encryptionthe receiving terminal D needs to get to know right relay terminal 
information. 
[0101] 

Although this example was described taking the case of the case where Dummy is 
usedthe invention concerning this example can be applied also about the relay 
terminal which existsand can be applied also to the other various composition. The 
arbitrary terminal information of not only the last terminal information but the upper 
stream may be enciphered. 
[0102] 

Even if a malicious relay terminal cancels the information on an upstream relay 
terminal intentionally by having the above compositionin the receiving terminal Dthe 
information on the terminal in front of the canceled relay terminal will be decoded 
correctly. In this waythe receiving terminal D can detect this forged course. 
[0103] 

Thusaccording to this examplewithout enlarging the processing load by a relay 
terminal so muchforgery of the relay terminal information by a malicious relay terminal 



can be preventedchannel information can be concealed so that it cannot forgeand a 
transceiver person's privacy to a third party improves. 
[Industrial applicability] 
[0104] 

In the radio or the wire communication field as which secrecy is requiredthe 

communication terminal and ad hoc network path control method according to this 

invention can be used. 

[Brief Description of the Drawings] 

[0105] 

[Drawing 1] It is a key map showing the outline of the conventional ad hoc network. 
[Drawing 2] It is a schematic block diagram of the moving terminal in which the 
conventional ad hoc network construction is possible. 

[Drawing 3] lt is a chart which shows the data of the path control signal for the 
conventional ad hoc network construction. 

[Drawing 4] It is a block diagram of the moving terminal according to working example 
of this invention. 

[Drawing 5] It is a chart according to working example 1 which shows the data of the 
path control signal for ad hoc network construction. 

[Drawing 6] It is a chart which shows the data of the path control signal for describing 
working example 2and disclosure of the sender receiver terminal to a third party is 
shown. 

[Drawing 7] It is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand the transient address is used 
for ADDS. 

[Drawing 8] lt is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand the hybrid code is used. 
[Drawing 9] It is a key map according to working example 2 showing the outline in CTR 
mode. 

[Drawing 10] It is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand CTR mode is used. 
[Drawing 11] It is a chart which shows the data of the path control signal for 
describing working example 3and disclosure of the relay information to a third party is 
shown. 

[Drawing 12] It is a chart according to working example 3 which shows the data of the 
path control signal for ad hoc network constructionand the public key is used 
temporarily. 

[Drawing 1 3] It is a chart which shows the data of the path control signal for 
describing working example 4and disclosure of the relay terminal address to a third 
party is shown. 

[Drawing 14] It is a chart according to working example 4 which shows the data of the 
path control signal for ad hoc network constructionand use of the hash function is 



shown. 

[Drawing 15] It is a chart according to working example 5 which shows the data of the 
path control signal for ad hoc network constructionand dummy information is added. 
[Drawing 16] It is a chart according to working example 5 which shows the data of the 
path control signal for ad hoc network constructionand is the example which 
concealed the history of RREP as much as possible. 

[Drawing 17] It is the chart which each working example contained altogether and 
which shows the data of the path control signal for ad hoc network construction. 
[Drawing 18] It is a chart according to working example 7 which shows the data of the 
path control signal for ad hoc network constructionand is an example which prevents 
cancellation of a relay terminal. 
[Description of Notations] 
[0106] 

400 Moving terminal 

422 Request/reply generating part 

424 Control section 

426 Transmission and reception section 

427 Address storage section 

428 Address comparison part 

430 Random number generation part 
440 Certificate issue section 
450 Digital signature preparing part 
460 Secret key treating part 
470 Operation part 
480 Verification part 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 
[0105] 

[Drawing 1] It is a key map showing the outline of the conventional ad hoc network. 
[Drawing 2] It is a schematic block diagram of the moving terminal in which the 
conventional ad hoc network construction is possible. 

[Drawing 3] lt is a chart which shows the data of the path control signal for the 
conventional ad hoc network construction. 

[Drawing 4] It is a block diagram of the moving terminal according to working example 
of this invention. 

[Drawing 5] It is a chart according to working example 1 which shows the data of the 
path control signal for ad hoc network construction. 

[Drawing 6] It is a chart which shows the data of the path control signal for describing 



working example 2and disclosure of the sender receiver terminal to a third party is 
shown. 

[Drawing 7] lt is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand the transient address is used 
for ADDS. 

[Drawing 8] It is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand the hybrid code is used. 
[Drawing 9] It is a key map according to working example 2 showing the outline in CTR 
mode. 

[Drawing 10] It is a chart according to working example 2 which shows the data of the 
path control signal for ad hoc network constructionand CTR mode is used. 
[Drawing 11] lt is a chart which shows the data of the path control signal for 
describing working example 3and disclosure of the relay information to a third party is 
shown. 

[Drawing 1 2] It is a chart according to working example 3 which shows the data of the 
path control signal for ad hoc network constructionand the public key is used 
temporarily. 

[Drawing 13] It is a chart which shows the data of the path control signal for 
describing working example 4and disclosure of the relay terminal address to a third 
party is shown. 

[Drawing 14] It is a chart according to working example 4 which shows the data of the 
path control signal for ad hoc network constructionand use of the hash function is 
shown. 

[Drawing 1 5] It is a chart according to working example 5 which shows the data of the 
path control signal for ad hoc network constructionand dummy information is added. 
[Drawing 1 6] It is a chart according to working example 5 which shows the data of the 
path control signal for ad hoc network constructionand is the example which 
concealed the history of RREP as much as possible. 

[Drawing 1 7] lt is the chart which each working example contained altogether and 
which shows the data of the path control signal for ad hoc network construction. 
[Drawing 1 8] It is a chart according to working example 7 which shows the data of the 
path control signal for ad hoc network constructionand is an example which prevents 
cancellation of a relay terminal. 
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REQuest) aSSfl|» 2 2 6 RREQ** -y h 7-*^7o- + 

Xhiift^. H bXADD s fc§fi«*©7 K UXADD D #7 F UXEttW 2 2 

7^&tt*w*n, RREQfc^ip^n, -atamans,, rnuxa, w*.tfiP7 k ux 

T'S^TJ;t\ MfM -y -tr-^PREQE (4, t 5 * -y 7» * ffi "T % tt« A, T* t> 

[ 0 0 0 8 ] 

ffltt * ~y "fe- .^RREQ*26Sfli» 2 4 6 tJ:oTSiL fc *!i«*T Mi, 7 F UXtBH 
§15 2 4 7fiCia«Jnftl»©7FU^ ADD T ,k§MLfc7 F U 7. ADD D t * YC « L T „ 3 
^5ST'l^i:k*^A^^ ^©7Fl/X ADD T ,tftiDLT, RREQ* 7 P — F * * * h 

v n m t z = 

[ 0 0 0 9 ] 

T 2feffi*T l i:|p)«©i5M«*T9 0 
[00 1 0 ] 

MM* V ■b-i/'RREQSSM bfcS€«S*Dtt, 7 F UX82ttgfl 2 6 7 fcfEtt* n/c g 
# © 7 K UX i: ADD„5& J±« LTS^^T'iSCl;*^*^^ RREP (Route REPly) 
9$'Jffli^ , yfe-v ; ^ c l 3 ^7F^Xlf^*3if-Lfcfc©*^AaLT, a- + tXhtIfe 

[001 l ] 

RREP* § mLfc**4K*T 2 tt , *i7FUX'UhK@»07Kl/XS«lt5l:, 

+ F T? is i£ -T * „ 

[0012] 

ctJm4S*T 1 S * T 2 i:|^«©«13i*fT3o 
[00 1 3 ] 

RREP*£MLfc2Sm«S* S fci, 7 F U X 1*« ADD S fc ADD„ ® to * & . ZtDfemt 
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-> T 2 -> D ) aU^K'^, 
[IfttiKl] #1 2 0 0 3 - 2 3 0 1 6 7 !§ & fg 
[ fS Hi! © 1$ m ] 

[0014] 

fritz* 
[0015] 

KT\ # f£ IB © » ffi li , 7F*fn^7-^t*^T RREQ i: RREP© lg II £ fr 5 C 

*ffi#-f S c 4: Tfe^o 
[0016] 

[0017] 

±iaoaH*^fi!t-r « fc6o*awo-»tttto fc r f* -y * * -v h 7- 

£ fig «T lit ? »5 * <tii©fflfia£*i:©il<f **Td&§{aSI3£7 F * <y * * -y h7-**li& 

SEii*o7Kuxi:Si8*o7Kux*iBi , r57Ki/xiaii» : as*»tt*a 
: ssiS*©tiEiES*fSff't3iE(B»»fTff; aBtsi^ofy^n^iffit 

% r 5> # ;V * £ ft $ W : 7H*'yn7h7-^7nh3;H:|ot, SB«*©7 FU 
[0018] 

ft "T 3 SB ; RtfS«Lfc«**fe-r-**MT*«*»**i LTfcfi^o 

[0019] 

bT«uabfc7 9 -**^o-K* + xh3asa-r*aPB: f«**t*^T, aim***** & 

&fi£ ttfc3M«4S*7^*;l/»£* B Mb, 7 F*<y **SKg#M*fK*«iS*7 F 
T. SffllLfcT-^t SI«*f^?;H«* in LT«$Lfc 7 F * -y *«KjS«Ffs*§ 
[ 0 0 2 0 ] 

#58iE©^jS0!lteftiUf, RREQ i; RREP© BSE £ ft 9 c T? , g*ofcHK{BI»1tlfi*fei; 
TbS 3fe»tt*lilii-r*^ fc^T?**. 2f£f34SS* J f>*«ltf!*©7 F fSH 

*Rljil4l8 0BiR-rac: fcfc«fc 0, £ = # ft* S 75 >f fi± 

[fgB^^^;6isi-sfc46©sm©^^] 

[ 0 0 2 l ] 



$J o ^ r © M 51 * ^ S o 
[ 0 0 2 2 ] 

•fl^OfSfcioT, ^y-K (4S*) hCA (Certificate Authority, g 

M) ©M»*{£?#LT*5 »3 . StfOfEIHfSfcfSftT-t, » !& « * ft" l£ Rlffi ? fc * o 
[ 0 0 2 3 ] 

• fi^ofatioT, afcHJ*&i&£iH§ffi¥©7 F*uxfcM**SiS£ 

s . 

[ H SS #J l ] 
[ 0 0 2 4 ] 

4 0 0 li, U^IXF/'J^7^?!4S 4 2 2, M 4 2 4 , BSmSM 2 6 
7 K UXlBtlgP 4 2 7, 7 F UXitBSB 4 2 8, a 8 ft 4 SB 4 3 0, IE HB » IS fr SB 4 4 
0, f^^l*ff«S 4 5 0, MMHSM6 0, iS5ffgM70&tft*tiaM80* 
WbT^So coilSli, IB 5 nr. ^M^^lM&M&lifiSc^t- 

[ 0 0 2 5 ] 

^lXh/'jr7^Bi 4 2 2 ?5g£2nfcMMM* >y -fe-^RREQ*. £ S 
ft SB 4 2 6 A* * *y F 7 — Jr'vT'n — K + + 
[ 0 0 2 6 ] 

£SHWlfc»^T*4, B5t^*htW5J:5t. RREQT? l± , & * -y 7° IB (t4b%, 
&<14S*S-»*«*S1*T 1 ^^^4S*T 2-*S«**DOlHI) KM*ML, RREPTtt 
% iyFH (t4fc^, §<§4K*D-»2HItt* S ©M) o»i:BE*IfflLT^«, 05 
©5-5H3fcgfc3SI5$Hi* HitJLTiLT^S. H5tStHoncett, SL l& f§ ^ BP 4 
3 0 fcTB£Snfca»**ift-r So Cert x «, IEW»«ftSIJ^«fT-r S«*X©flEHH»* 
Iftti. Sig x «, MI*Xfc:J:*T5>*;l/**-efc!K fV^;H«ft)S»KJ: 

ns, 

[ 0 0 2 7 ] 

ft^flWflDDSRJCfeV^Tfi, RREQ, RREP© gfiE * ^> T V & » M flfc 0Jk V> TJi , 

z ft z <d m ^ (ommz ft ? <d ? % % ° rreqt- * « / - f § © ig n * ft ? © t- , ii {i © rr 

EPT? tt x ^ K IB O BIE T? + # T? * * # *. 6 ft * . 
[ 0 0 2 8 ] 

ttTt§S*®»fftOf|{B^1-5o 5t-f2imS«5|cS©a»«4ai54 3 0 s a % None 
e*ft£f So HE E * « ft SB 4 4 0 *<, Cert s ^filft-r So frJPStf 4 2 4tf, «J » * -y -b - 
->*RREQfcNoncei: £#©iEI!l3»Certs*tt;!ni-r*o a $ Nonce* *P f S © « . * >y F 7 - 
^SaS*fr^5ft«>7S5. £fc. 3<l«S*tt3HIiS*©1*«*&? LfcftSfctt 
Tftift^fc*, RREQtSifl|ii*eilOlEW»*(*4nLTfe< o Nonce h IE 0£ * Cert s * in 
L fc (I # RREQ© f7^-^F^MItLT, x 5^ * ;1/ » £ ft J« 8M 5 0 , g # © x 2 
;l^£Sig s *Mt So Nonce, Cer t s & tf S ig s AH* AP 2 ft fc ft *f RREQ* , MSflSB 4 2 6 

[ 0 0 2 9 ] 

<l#RREQ*S©Lfc*«UI*T 1 ®*IE»4 8 Otf, 1^®SST\ § is L, fc {a # RREQ 
fc-a-SftftHonceOfctt**?* o U> NonceAH « m S fB L 7c Nonce© fig P§0 C « £ K » 
% 4-@©RREQ#Si£{f T?&S i:gILT»«f 5. NonceA^ 30 tf> T § fit 1" S U V & S « & 
IZ It , II SB 4 8 0 % ftl * n T ^ S E W » Cert s * ffl T , 2HaJSB*©7*S>*;l/**S 

tfc«lTi»«T?li^:i:*il8t5. Sibfclfk:"1'IS*T iStoTFU 

XADD T1 fcffiB£#Cert T1 tttttML, it Ha L It E * £ J* b T Mffi * T 1 @ # © 7 s 
#;l/»*Sig Tl *ffjfi1- S„ ADD T1 , Cert TI> Sig T , * ttJ)P L RREQ* * -y F 7 - ^ ^ ^ P 
-F + tXFT'fiStS, 



[ 0 0 3 0 ] 

i*i«S«*T2fciti««5fcTlfc|B!*©ft!JI*fT5o fc fc L , <tiDS tlTl^HSCert 
TI *ffl^T, $«$*T 1 ©r i/**;l>S«Sig T1 £«ffiL, * « 4Si * T 1 6 S f« h It RRE 
Qf§*§£ADD Tz . Cert T2 , S ig T 2 * in L T * -y h 7 - 7 ^ f u - K * + X h ? 21 1 S . 
[ 0 0 3 1 ] 

i^iSST 2 7b> 5) ©RREQff LfcM4S3fcD®ftfiEgM 8 0 tt , Nonce© II £ ft 

5„ fcU Noncetf, W M g ffl L fc Nonce© tt fc IrI U tt * ^ 0 © RREQtf « M {g T* S S 

tS«LT»*t5. Honce#WfcTS«t*tf-efc**£fc:tt, iP £ tl T <^ S M » C 
ert T2 £ffl^T, ^««*Or ^^;l/a*Sig T2 *tftlE-r5o ADD D g # © 7 F U X i: * J± 
$$LTg#?gT&S;ii:£Ig§a-fSo #ta*nTV»*IEW»Cert T ,%ffl^T, *«4S*© 10 
T^^^SigSign^ttE-r*- iP S tl T ^ S fiE W» Cert s *ffl^Tx E&ffiiB*©?^* 

;]^£Si gs £#ifiE-f So chftofiioitli, IILTtii\ 

[ 0 0 3 2 ] 

SMSS*D©U^xXh/'J^7>ril4SPti:«tt)«4LfcjS«FSJW^ >y -fe - ^RREPfc ft 
bt, RREQ©rt£©=i X-*ttbQt So RREQ©rtS©^ kT - * ft] L fc RREPM © £ 7 -f 
-;l/K*WfcfcLT, SfiHB5ttDOr^*;l/**Slg,*ffja-r*. Sig D £ttj)P L fcRREP£ 
a-^ + XhTjMflS^S^c&fg-rSo 
[ 0 0 3 3 ] 

S^4S*D3b^©RREPm^*S€Lfc^at4SI*T 2 ti» Nonce© ft ffi * ft 3 . «7F 
U X U X h t S # © 7 H U 7s ADD T jSRItSSftft. l ©l^^f + U h 20 

-egg-r s„ 

[ 0 0 3 4 ] 

* « HI 5fc T l & *3i«*T 2i:|SHi©M£ft?o 
[ 0 0 3 5 ] 

T 1 UST'RREPfl*! £gf§ LfciMflS* S ©&ESI5 4 8 0 tt , ft "f Nonce© 1ft 
IiE £ ft o fc & , tt"FOffia*fr5o *&7KUXUXMcg#©7KbX ADD S * « JIT? * 
^V>fc46, g#?S©RREP-?&Sfr H 3 frfcfcfiEf So ADD S> ADD D , Nonce, Cert s , Sig s © 

fcSE-f So ffcSKSOSigfclftiETSo T&fr*>, RREP*RREQKtl*;fr*.TSig,»*l»£ 
tS 0 Sig T2 £lftIiELfc^ ADD T2 , Cert T2 , Sig T2 ^^£fS 0 Sig T , * 1ft BE L fc ADD T 30 
Cert T1 , Sign^iit^o * IK » » 1f « (S-*T1^T2^D) * 61 % t S => 

[^Jfiflfl 2 ] 

[ 0 0 3 6 ] 

H6flSHlO*#JIBLfctf&, # BJ3 © M 2 t o T 0£ T S o 16«, 05 h 

So 0>J*tf, Wffln-tftf H£*ft*il!!*T?tt, SEW»©«afc 0 Cert s tf, t> ^ T 
[ 0 0 3 7 ] 

fa\ 7° 7 -T Xi/ - ft ■ IR] ± © fc * t » H6 0«»»7^-;bF*SfcDKL*»i»e. 40 
#j£^ft©[i5CM-c--&S££3fr£s r»»7;PdUXAj H^lftiSo B| ^ ft i: « 

^{tJcRi:a*ffi3i:i:^e., ss&fflatfRjflEfcfcSo l l ; m h # rttiu # 

tb S o 
[ 0 0 3 8 ] 

B7t^tMTIi, m m m * S © 7 H U X ADD s kLT-«f7FUX*lffiL, 



A^i, pg ^ it e $ ii -r * a t a ^ <t iz fig ffl f 5 at t r , znzti&omzm^zfi-A 
T*fe* 0 LfcJt75©8t* r&M«j fcpf^'o r*g$«j i: r^Baa 

jH77ff)St5. r ^ St J O^tt ^ ML. r & $ it J « S M S*Tfifbt^<o 
ag^ fbf :-_^ ^ g | t5i «^fbx-**^ff LfcSM*^. «S L T fe ^ fz ®'& 84 
[ 0 0 3 9 ] 

E x [y] tttXO^Miiffl^t^XySttt^tSCfcSIfttT^S. 0 7 
l^tgflS* S Kfc^T, SM4S*D©7 K U^ADD D , 3M <H * S © E W » Cer t s Kl tf 
x^^l/SfcSigs*. SM«*DOttll«"ei«*{b (E„ [ADD d ] , E D [ Cert s ] , E D [Sig s 

(e s [Sig„] ) ts. L L , cosatattToKi^ss. 

[ 0 0 4 0 ] 

W^ttSttHtlcraUtttftSfc*, ADD D l±*Hll£tf E B [ ADDj) ] ^5 " fr L ^ " 7 K U X 
[ 0 0 4 1 ] 

2. -B$7KUXfc«LTfc, [r1 C <fc 7§i;ltttf#ftt5. 
[ 0 0 4 2 ] 

[ 0 0 4 3 ] 

2 * raw fa,, A>f7'jy Fdfsatiftif, Btsra**TMT®J:3a*is!*tT3. 

U *^7TttHti. rfillj C^ttfiML, r»«*j tt§l«*DT'Sf LTfe 
TSfS*DtlS. i£{§4S*Stf, Bg*f{fcLfc#iI»£E^T> ¥£r-*©*tftM 

ttt, S1«*S^, t-r> 3 ySK«^»TO«Ii (Session leytWS) fcffll^T 
^_ £ 0#ft*W#fl:*fTV^ Session Key * £ M SI T? Bg ^ ib b T S ff flg * D il $0 1" S 

[ 0 0 4 4 ] 

0 8 K^tmmm^&^rit, ^i«*7Kl/XADD s t;:(J-^7FUX*IIL, ^© 
[ 0 0 4 5 ] 

S ©SL$58£gP 4 3 0 (0 4 #88) ff, atfll«*0-«f 7 K U^ADD S *7 > ^ 
AtftStS. ft»f&£SB 4 3 0 ^JBtt'r>3>^- (Session Key) *7>^AC 
IBftftKLSffi 4 6 0 tf§f«*D (D'Ammrmmt LT, E d [Session Key] * 
ffUt4. E, [Session Key] li Nonce© «* fe *fa S C T- t * fc * . H 3 t ft It S No 
ncefcHiJ&L, ft^OCE, [Session Key] **Otilt|*<PA4. M8tMgl$4 6 0 
tf, Session Key* ffl ^ T » ft 81 Bg ^ © ft U (»«ia»IR5>J) * f§ * - M * » 4 7 Otf, 
&«**-l$7 KU*ADD S . SI«*7FUXADD D , fil * © tt W * Cert s & tf r ^ * 

;l/g^Si gs (£T©7 w K**f*fc Lfc»«) ±f2»ftia»*M i: fl&w»a» 

* ft » "T 3 o jMSmgP4 2 6 *^ £ ft £ RREQ LT 7D- K + t X h Kit *. 
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[ 0 0 4 6 ] 

RREQ^gfSLfc *HS*T 1 tt, «F^OS«*WrSRREQ«S*^ORREQT*feS fcSjEL 

TSigsOttaEtttT^r (combe *2t5. ) , H3fcra«4saa*L 

T £ iM I" 3 „ *«Mf;fct>lRl«&«L3*LT\ IE £ T 3 0 
[ 0 0 4 7 ] 

*«4K* T 2 &RREQ*§« Lfc£M*Dtt«T©B!S*tT 5 B 
[ 0 0 4 8 ] 

§f L fc»Bg*f {fc«SI«E D [Session Key] * g # © IBffi « * ffi T « *t ffc L S ft 
» (Session Key) * % 3 = « © «g * t# 6 ft fc Sess ion KeySrffl^T, ft ft St Bg © tfi ft 

Hi H ft £ $ 3 £ tt iot, f-??:«7ct5L t^t'tSo 
[ 0 0 4 9 ] 

£ ?|J hte H & 3 ) *E^TM*Hfc-rSo t5b^> *rL^8fcia»£*»Ji:ADD s , ADD D , 
Cert s> Sig s , S i gD t © M W H 9 ft £ & £ „ «*£ o T RREP© ADD S , ADD D , Cert s , Sig s £l± 
, SfcD©a»&?'J©^X*tf*ft ; ffttt2ftT^S£i:££a 0 
[ 0 0 5 0 ] 

T 1 , T2^14 b'TK^*nfcRREP*Sfil L S(i W T © & S £ 5 „ 
[ 0 0 5 1 ] 

t c iinft', sftin^oftfflt-Kto^TiiRtffibftfroftff, » ffit a ft & A 
* a ^ t z> k. it . CTR* - K T? 4) fU ffl # - is « t* & a o 

[0052] _ 
0 9 fcttCTRt- FOlStSLT^i. Initialization Vector (WTIV4: a "5 ) 

[ 0 0 5 3 ] 

|10li, 0 8 *3 V> T *f ft » HI ^ © f'J ffl * - K E CTRt - K % S £ L tc M T* & S „ 0 
[ 0 0 5 4 ] 

IV&Session KeyhiigLT (UT" I I " © IB * T? £ * f 5 ) S£ "T 5 Z. t t L . See 
d=Session Key I I Ivfct^o ctti, £ (S « * S J: S (S * * DT? & fi K M < Z> X r> t L ( 
^^ct s> ctjttS) , ^ -y h 0$fc»fc Z. ©7 J -fr Kfctttair So ftfect*W>^'J 

^^nciiti^^f »-©«## sgH#£«ftsfc«>* i^i#tt7y^A%i*u 

OSTiCktt*. Sfccttt Nonce©* »*-&^fcfrtrfc«K ^ £ T* ED [Session Key] * 
Nonce t LTffi*.Tl^fctf, filTT tt ctft* Nonce© « »J fc tfeOttSo 

[£«0>J 3 ] 

[ 0 0 5 5 ] 

0 1 1 a tf l 2*#HRL4tf&, *58«0^*«l3li:ov^TKiBt5. 0 1 1 tt , 0 1 

gtTP5„ tfiSHtaOiesiHttO^TiSfeT^^Sfcs 2SmiSS*Si:S^iS*Dli Source 
Rout ing£ ft o tc tb £ T © (f M test * © IS « * a S & K » § , i|iiS*Sftl4ttTOW 

Kr T * ft « + » T? * a o 
[ 0 0 5 6 ] 

1. RREQE M L T (i ^ £ # 55 T* S © B K . it W O *^ & ©*« O IE S tt. 

[ 0 0 5 7 ] 

2 . RREPfc »LT«, KI7 K 1/ X U X HCg » tf^ $ tl 5 ^ if a o 
[ 0 0 5 8 ] 



no j 
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UtHSIO, ft * S i: S m f# * Dtc b # & 4 i> i 5 £ H W. t 5 © 3 £ b v> 

0 f r.t\ Ut T T? tt 7 ? -< *s — © fa -t © & iz ^ Hi l <D m &• 7 -< - ;U K % S t Dtc b 
# £ ft ^ i 5 C M 1" 3 #0 1 ^ ^ T B,J§ "T 3 * 

[ 0 0 5 9 ] 

0 1 2 , 0 1 10*i»tt7-f-;l/K*HiK-rSfcfcK* RREQT* (i - B# & IP3 » * M ffi b 
, RREP-Ptt»fSs«W^OW**J6*Lfeffil*^-ro 08, E9 1 Oi:Sft5Sai*tf6lcW 

t k m m t & o 

[ 0 0 6 0 ] 

2ff34S*S<£>a&8£aM 3 0 , RREQ© M fS ^ ft •? . - B# M tt ( K + ) - B# IS 
ma (K-) 0^7*7>^AKSSt5 0 -«p^M«K + i:-«F»*«K-fc* RREQfc 10 

iiinb-rgfi-r -nsa*iK-o*HffiaR3Rwo»iiswiiiao»ft^i"*. 

[ 0 0 6 l ] 

RREQ*SfllLfcif ««*T2tf, § # «fc »> W HU © f « « .* © fit « ( C © * £ ADD T , , Cert 

Tl , si gTI ) * k + ztm^Tmm$m<t? s„ jRa^^fttsacj;^, 

[ 0 0 6 2 ] 

RREQ*StebfcSm«S*Dli, WTOfflSfcfr?. 
[ 0 0 6 3 ] 

(f mSSSS^Sig^^EI- a o Sig T2 £^SE b ft ADD T2> Cert I2> S ig T 2 £ £ -f 3 0 20 
^***Ofll«^#*-e»««K-*ffl^T*^r*. Sig T1 *fc!E-f So ADD T1 , Cert 
T1 , Sig T1 «£f So Sigs^^llt-^o 
[ 0 0 6 4 ] 

[ 0 0 6 5 ] 

a«tt*D^igfl|-r*IRK, RREQ^ 6 3 t? - b ft £ T © 1f « K tt IT, g fl i8S * D 7? §t 

Bg^fbb, RREPfcftlSf *„ V** K-, K+, E D [Seed 30 

1 , ADD T ] , Cert T1 , Sig T1 , ADD T2 , Cert T2 , S i gl 2 t fe "7 X * /< * > © £> d t \Z ft 5 

[ 0 0 6 6 ] 

RREQfr £3tf-bft£T©fif$Bt<:^X7^£y#&tt£nT^5©T, ADD T , fcADD T2 li 
BKSftTfct) , ****fcfc^T«giJ*nJ1Hi:4S. UT\ ADD T , ADD T 2 © 4 « £ if 
iSflfc*l7 K b X U X h7^-;l/ Ftilftt5 0 
[ 0 0 6 7 ] 

RREP{I^£3HB LftSiffi^Sti, ttTO»I*fi?. 
[ 0 0 6 8 ] 

§{B bft«*t{fc«il&E D [Seed] % % ^ ft b T , «IEt5. ifl7 KI/X'J 7 FES 40 
#<D7 KU*ADD s *3SJi-e*ft^fc«>, aS^W^^t. ADD S , ADD D , Seed, Cert s , Sig 

^^It5„ ^mSl^«©Sig*^liE-r So fftfr^x RREP£RREQ£|l#fr*TSig D *l£ 
Sig T2 *&SE bft^s ADD T2 , Cert T2 , S ig T 2 * It £ T § . Sig T , * ttK b ft & , AD 
D T1 . Cert T1 . Sig T , * T S „ *»«K1t« (S^T1-*T2^D) * 51 Jg <T % 0 

[ m m m 4 ] 

[ 0 0 6 9 ] 

0 1 3 &ri@ l 4 *#Mbfttf *«ifi<0«ll«l4fco^TIBWt5. 01 3 a, 0 
TSLT^S, *|«*07 H bXtcM U fe pJ ft PI »3 , ^ fl W * S t £ fl 4^ * D i: 4- 50 
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ust m a 5- e t ^ » A^fti^^ciitsiit^asu^ ^:?» 7* ^ ^ ~> - © ft ± 
© fc ib t , hi 3 0 m i& w- 7 * - )v k * m m m * s t % m m * d t * m as * s # k u ^ # 

[ 0 0 7 0 ] 

18¥&WJ!ifcLTtt, ADD TI , ADD I2 *-l*7KUXtt«^i£* ? fe5* , > £ © 7J £ f£ 
■P tt K K © ^ 7" h % 9 C X L tf ?>< PI U * IS 7 K U 7 if ffl * tl T L $ 5 fc fe , ^ * v 

e ? n % 75 # , ±97^ ><*>-®»afca^ ^p^itMits 

[ 0 0 7 1 ] 

0 1 4 U: 0 1 3©*aiJ7^-;UK*HK-rSfci6K, RREQT i± a # * - us & n a Bg 
^ L , RREP? BaRCAyJ/aBRtlffllftM-efeS. 12 9 ttiSSSffll^fili: 
ttTtRWt*. fcfe, rand x t tei£3fcXT*&£ LfttS, h (y) i: By© a >y afi^t 

»;J/afj fcffcfnS. "SHA-l" " MD5" lA 9 m 'V > a MIS tftt * « "P * <A 1* tl fc 1 

if , x-^tfiiM^T'&^snT^fciAfrfciis^^fctfT'tSo 

[ 0 0 7 2 ] 

RREQ*£{ILfc*«4S*T 1 (4, £ E O 7 F U * ADD T , O ft b »> E I + [rand T1 ] 

ts. 

[ 0 0 7 3 ] 

T 2 T 1 kHiOffli*lt3. 
[ 0 0 7 4 ] 

RREQfcgfS LfcDtt, rand TI , rand T2 £ML, ADD T , , ADD I2 O O ft t> D £ * h(ra 
nd T1 I I ct D ) , h (rand T2 I I ct D ) Srilfflf So 
[ 0 0 7 5 ] 

RREP£g{f L It T 2 tt, g»©7 FUX^h (rand T2 I |ct„) fc L T B K t* S » 
[ 0 0 7 6 ] 

Tl t T 2 ^iRHtOM^fT^o 
[ 0 0 7 7 ] 

RREP* S m t 21 M 4S * Sli W "F © «a a * fr ? o 

[ 0 0 7 8 ] 

*i7FU^Uht'^07FU^*%it5K, h (rand s I I ct D ) ?:^St§ 0 r 
and T i, rand T2 £]Rf#1"£o 

[ ^ m m 5 ] 

[ 0 0 7 9 ] 

0 1 47!jS0 1 6^ISLSff^ *5SWO^«fi»J5fc-O^TBiWrSo 
[ 0 0 8 0 ] 

0 1 4 £ # fig ? S 4: , RREQ© 7" >v F ft * RREP© * « 7 F l> 7. U X F 5 , 21 fl Sfti * S 
[ 0 0 8 1 ] 

• RREQ : /^-y hlA^, *»SS*Tl *<««**SOBUi:^* c ttfftfr% a 
[ 0 0 8 2 ] 

• RREP : *»iB*Tlfcit»««l*T2««ieK (£K) "Ttltf, * « 7 F U * U * F £ . 
Sm«S*Dtt*«ig*T2©|» ( Stt T 1 © » ) ffc«Ci*^A^. * C -e , 

(a«)*SfflLT^««*sRtfSfi**DK*»iiii*T**a^©J:5tifsiit)-&ac 

iitiO, ^®«*S4:S«illS*D©fll«*Rl«a:H»)BiRt-Sffil*KW-r*- 
[ 0 0 8 3 ] 



KM) 



mi 5 It. &M«*Sfr £©RREQm^Rtf£faffi*Dfr £©RREPm*l©&4 *"5-1f 
SB © 0>J « S 4 % Sail * * EWTtMtS. ana « * si* . rreqii # * 2" 5 - © 

^MStffB (HI 5 T*ti 1 ^«t^*jS"»-r £Dummyl, Dummy2) % it 4- * 3 » ^ 5 — If $B 

M * £ © K SU o ft ^ 0 
[ 0 0 8 4 ] 

RREQm#*£f§bfc , t l »tt*T 1 tt, Sig s ©t£SE£tT 5 . fi Su ± IE © Wl 7? tt S ig s © & IE 
#T* # ft o fc ©T*, iSOl? ©RREQliSfr 5 ©RREQT- & £ h 3! £ L T S i g s © BB;Mt 
fe ft o fc o * M m m T? It > Sj^ « ** © * D * I" S * E W » Cert s * W *^ * « «t 5 K 10 

ft o > si * s "J m t ft o o 

[ 0 0 8 5 ] 

RREQ£§{! LfcDttWT©ftia!*fT3. 
[ 0 0 8 6 ] 

-H&IBMK-*ffl^T*^fl:U ^ $ M S © S i g £ S ^ <FJJ fr^ )i # ^ & II L T ^ t 

, cert s tfws-r*STf*tt«ia*»oig-r. *w±iBoffii?tt*«y- kw*#<*®« 

£ 9 * 1" & ft , * © 7? & J§ ffl T' t ft V> o 
[ 0 0 8 7 ] 

§{§4S*DU:*5^-Z\ RREPft^©**l*7 F^'JXht, * 5 - 7 F U * (01 5T'li 20 
2 0#©DummyADDl, DummyADD2) * ^ tP L , »«ia»*J>Ji:®J*fl!l«ltaa*flXS. 
[ 0 0 8 8 ] 

RREP{g^£§<§ L 2HI « * S « , f|i«|«B«©SigO*tt*2Sfttt*DfcBI«lK:h-do 
[ 0 0 8 9 ] 

»n*fe * fe * tRREPfi^©rtSt±5Mff S&tfa«4K*D 

^iJ^B«T?#ntf + »T?fe»), S6H#tf*SiJ*T*&Stt&^„ RREPfc^O* 
tt*nJ(!6*lfit)ISiR-rsWJj:o^T«Tk:SiWrSo 

[ 0 0 9 0 ] 

0 1 6 It, RREP©H14£ nJIgftK K> H«lfci-Pfe5. ItaoW fcSftSiaitfit 30 

ttTKKflt*. 
[ 0 0 9 1 ] 

§€«S*Dl±, RREPffi*§©ttJ«fc*fc 0 > WTOffiSfcfr ? „ 
[ 0 0 9 2 ] 

RREP©ftfr9£, SSMS* S ©*^RREP^Data^*WSiJT?**S 2 ©»gij7-f -;!/ F ( 
RREP/ Data) * }£ to t S o 2" 5 - If « (a») toXr 4 V 9 & (01 6 t 43 H" * 

Dummy Padding) 0 Length7 -f — 7b F £ jI ilO L T * Dummy Padd ing£ B£ < ft £ £ IS S "f £ o 
H 2 ©^glj7 f -71/ F, Dummy Padding, Length© 3 O fc ft , S ft ft * D# 13 /£ b 7c V X * 

# > £ It 5 o 

[ 0 0 9 3 ] 40 
RREP/ Data* gfl L 2! {§ « * Stt, SIUI*Dtf Uft V 4»Lft«t 

[ 0 0 9 4 ] 

l . SB20«9J7-f-;I/F*5 RREP? fcScfcfcBij-rs.. 
[ 0 0 9 5 ] 

2. Length7 - 71/ F * # H L T , Dummy Padd i ng* |$ i "T 5 0 

immm e ] 

[ 0 0 9 6 ] 

hi 7 ic * % bj§ © ^ M en 6 * ^ -r o 01 7K*?nmm6it. ±mmmm^±r^ h,r£ 



Hi) 



[ % m m 7 1 

[ 0 0 9 7 ] 

# £ , fix T 2 H ft O S f m M * T* S £ t & £ x * * *S * T 2 * tK «8 * T 1 CO 
[ 0 0 9 8 ] 

0 1 7*#SSUTKIflt«, e£ M * T lOfffg^cDififflOS* Dummy2© Iff $g t £ ^ 
[ 0 0 9 9 ] 

0 1 8 \Z7T,? <fc 5 fc, T ltJS^T, ^ BtOfiS*T*SSDuMy2©1t*lcW 

LT, *»4S*T10ll!fBU:£t5<K T1 = h (rand!, . Cert T1 ) * H £ t % 7" P V * * ^ 
£«fcSHg#<t*fi6-f = rand T1 fcl±SS*T 1 T-St^Lfcaa, Cert T1 l±, II * fS ft ®> ft IS 
fr f § £ * T 1 CD II m m T* S *3 , h (y) ttty^r>al*l«l/T^5. 
[0100] 

4>iS*T 2ian^Tt, *©iftia©«*T-fcSTl<E>1tffik:#LT* * « 4SJ * T2© 1t 
«KI^J< K i2 = h (rand T2 , Cert T2 ) * & £ ? Z 7 V y t ft mc £ Z ft mtZte* * V£ 

[0101] 

Dummy* ffl^fc»£*flfcfc»>*&M0J*ttHLfctf, * ^ S66 00 K: ft £ % B£ & 31 # f 5 
[0 1 0 2] 

±iBOJ:3ft#lric*fll*.se:i:K«fco-c\ fcbS*©fe*f«l***«±a[0*«H»*o 
1*«***»«:tt*Lfci:LTfc, SI**Dt*^T, «j*Sftfc*«ltt*itW0*ll»*0 
i*«<IL<*<!Sh4v^i:li:SS. c r> L X gfgJS* D , C © « & £ SS * E § c 

[0 1 0 3] 

*£tt0!IE J:ntf, E <fc s &Sfl ffi ft IS H *#<■*" S c: i: 

JcgKtt«%l9iRRl^T*fe0,SH«Jc*frs3MS1i#O7 p 7^/^>'-*^±*ftSo 

CjS*±©fijfflBriitt] 

[0 1 0 4] 

»miS*&tf7 F*-y £*-y F 7 - * *BKtfg#2 
ft£MX&W*§fflm#^£^T*iJffl1-* £ £ T**£ 0 

[0105] 

[0 1] ft * © 7 K * -y * * ? F7-^Oll?:StltlT'fe5 = 
[0 2] 8*©7F*^*9 h7-f«*Rl«6«:»«lMt*0«*7ay^H-FfeSo 
[03] ^*©7K*7^^7 h7-*«»©fc*©«»*J»fe#©r-***"r?-*- 
F T? S o 

[0 5] l KlSoft, 7 K*-y **>y h 7-fi80fefeO«BSJflfe§»T-? 

[06] ^^f?ij2*IK0i!T^fcfc©SK^fflm^»f : '-^*^-rf-^-h-efeO, S -# 
[0 7 ] 2tf ofc, 7 F * -y * * >y F 7- ^*80ft608Blflfef flf- * 

[0 8] II m m 2 E fit o fc, 7 F* <y * * -y F 7-*«36©fc»0«B*J»M0T- 2 



(.14) 



% * -r f- -V - h T» S 5 , /n "/ 'J V KBl^tffifflLTl^, 

[0 1 0] ^SSffi|2lC(J£ofc, 7F*7n7 h7-fi*OfcfeO«»*J»S^OT- 
^itft-FTS!). CTRt-FSftlbt^S. 

[0 12] £fl5 0O 3 £«£t>fc, 7 F*7H7 h y-^iii^fc^MitrM^x- 
[01 3] ^ffi#j4£tHi£?-sfc&©«i»*J»^^-***^**~ hr * s ^ m ^ 

[0 1 4 ] £«S0J 4 Kftofc, 7H*7n? h7-*«iS«fcft©*li&Mff ^t=- 
^itft-FT'feO, M -y 2/ a H » 0 *J ffl * * L T ^ * . 

[0 i 6] mmm s traofc, r F^n? h 7- ^iS0fc&©*sMM^©T- 

^^ itf t _ K .gO, RREPQ JR ttfcRjttaiBDIBRLfciWefc*- 

[0i 7] znmmozm^K* 7 k*v y «7-*«*0fc»0«»*J«na*<o 

\m*\ sTl^JV ttof:° 7 K*«y * * «y h 7 - * ft £1 O fc ft <D « Bg ffl IP fS ^ O r - 



[ «f # <d m m ] 


[010 


6 ] 


4 0 0 




4 2 2 




4 2 4 




4 2 6 




4 2 7 


7 F U X IS tt « 


4 2 8 


7Hl/7Jt«» 


4 3 0 


asanas 


4 4 0 


ie w » a tf » 


4 5 0 




4 6 0 




4 7 0 




4 8 0 





iv ^uub-286y«y a 2uui. 10. m 



[153 i ] 



[153 2 ] 

«*©7K*^c;*---/h7->fll*RHII<E*»«l*©«iS^affH 



* ., r 



-3' 



iv4 



[0 3 ] 



[0 4] 




no; 



)Y 2UUWS6y8y A 2U0b. 10. \i 





[0 9] 

Initializati on Vector ]| 

aft*?] 



im i o ] 




JH 2UUW86y»y A ZUUb. "10. li 



[013] 



qd od 




[015] 



EjS«.d] 
Crt. 


□ q 

ADD. 

___ApO. 


d q 

ADD. 








JiElJ 








h(rand..||cU 


h(r»ndn|ctj 
hCrandnloto) 
0ummvADD2 









[016] 



=#= 






K- 
CM 




CM 




CM 


CM 


)urr¥TtvAO02 






*± 






6*"*.] 






Sip 




[jib 



UU) 



JP /UUb-/!«bya9 A 2UUb.IU.li 



7py h^— i?ogE* 

F*-A(##) 5K033 AA09 CB01 DA05 DA19 DB18 EC03 



